Access to Information Implementation Notice 2023-01: Amendments to Access to Information Regulations
1. Effective date
This implementation notice takes effect on August 25, 2023.
2. Authorities
This implementation notice is issued pursuant to paragraph 70(1)(c) of the Access to Information Act (ATIA).
3. Purpose
This implementation notice provides guidance to government institutions on the amendments made to the Access to Information Regulations (ATIR) that came into force on June 23, 2023, and clarifies that the amended regulations are not expected to have operational impacts on current practices.
4. Context
The ATIA came into force in 1983 giving the Governor in Council regulation-making powers. Section 71 of the ATIA lists the Governor in Council’s regulation-making powers, including the ability to prescribe procedures to be followed in making and responding to access to information (ATI) requests under the ATIA and the related fees that can be charged by institutions for a request.
In May 2016, through section 7.5.1 of the Interim Directive on the Administration of the Access to Information Act, the Government of Canada made a policy decision to direct government institutions to waive all fees prescribed by the Act and regulations, other than the application fee, which is paid at the time the request is made.
On June 21, 2019, Bill C-58 (An Act to amend the Access to Information Act and the Privacy Act and to make consequential amendments to other Acts) received royal assent, introducing changes to the ATIA. One of those changes repealed the Governor in Council’s power to fix search and preparation fees by regulations.
The policy and legislative changes described above caused operational practices to evolve. To ensure a similar evolution, the ATIR needed updates to bring them into consistency with current practices related to fees, the confirmation of the right of access, as well as identity verification when personal information is being requested through the ATIA.
This led to the ATIR amendments that came into force on June 23, 2023. The amendments relate to:
- repealing search and preparation fees
- clarifying the identity requirements applicable to requesters
- introducing editorial changes to the regulations
These regulatory amendments are in line with Privacy Regulations and identity requirements applicable to requesters.
5. Guidance
The amendments to the ATIR are not intended or expected to have an impact on current operational practices. As mentioned above, most institutions already have practices and procedures in place for confirming the right of access or identity verification when records contain personal information.
5.1 Elimination of search and preparation fees
Before the amendments, the ATIR allowed the collection of two types of fees: the application fee and various fees for the search and preparation of requested records.
Bill C-58 introduced changes to the ATIA, and one of those changes repealed the Governor in Council’s power to fix search and preparation fees by regulations. Regulatory provisions pertaining to fees other than the application fee became inapplicable and have now been updated, ensuring coherence between the ATIR and the ATIA. Since 2016, following a change in policy, government institutions have only been permitted to charge an application fee when responding to ATI requests. This update to the regulations reflects current operational practices.
5.2 Identification requirements
The amended ATIR allows institutions to seek:
- additional information to confirm the right of access, if the request itself or other confirmation methods do not provide sufficient information to establish such a right
- adequate identification, when the requested records contain the requester’s personal information, and their identity has not been otherwise confirmed
5.2.1 Right of access
A government institution must receive some evidence to be reasonably satisfied of the requester’s right of access. In the vast majority of cases, the information received by the institution via the ATI request form or otherwise will suffice to establish a right of access. Adequate indicators contained in the request may consist of:
- the requester’s attestation of eligibility, as indicated in an online submission
- the requester’s contact information, including name, address and telephone number
- postmark, if the request was submitted by mail
- the institution’s prior knowledge of the requester’s identity; this includes when the person indicates an assigned file or case number or another verifiable unique identifier, and when the requester refers to a previous access to information request to which they were the originator, or
- the requester’s identity document should the person choose to submit such a document along with their request
Subsection 4(2) of the amended ATIR provides the authority for institutions to conduct verifications and request additional information from the person making the request, when the information contained in the request or other confirmation methods are insufficient to establish that the requester has a right of access under section 4 of the ATIA. This should not result in unnecessary barriers or undue delay to the right of access. Requesting additional information should be done as a last resort in situations where there is doubt regarding the requester’s right of access, for example, doubt of actual presence in Canada, residency or citizenship. This can occur, for example, when an institution receives inconsistent or contradictory information from a requester as it relates to the right of access.
In case of doubt regarding the accuracy of the information initially received when seeking to confirm the right of access (for requests not submitted online), the Appendix provides a model attestation letter that could be used by institutions that do not already have similar or other such practices in place. If used, the letter can be adapted to suit the institution’s specific needs.
In certain cases, institutions may determine that further information is required to confirm the right of access and would potentially be collecting additional personal information in accordance with the Standard Personal Information Bank for Access to Information and Privacy Act Requests (PSU 901). Procedures must be in place to properly collect and manage this information in accordance with the Privacy Act, Privacy Regulations and privacy policies.
During the verification process, when informing the requester that further information is required to verify their right of access, it is a best practice to advise them that their request will be put on temporary hold until their right of access can be confirmed.
If the requester does not provide the requested information within a reasonable timeline indicated by the institution, the request may be considered abandoned, and the file may be closed. Before closing the file, institutions are encouraged to send a final notice to the requester. Requesters must also be informed of their right to complain to the Office of the Information Commissioner of Canada with respect to the processing of their request.
5.2.2 Requesting personal information
While the Privacy Regulations specify that a requester must provide identification before access to personal information is granted, there was no similar regulatory requirement under the ATIR, even though personal information is often requested under the ATIA regime.
To clarify well-established current procedures and ensure that the requester’s privacy is equally protected under the ATI regime as under the privacy regime, the amended regulations provide the regulatory authority for institutions to seek adequate identification from requesters, when the requested records via the ATIA regime contain their personal information and their identity has not been otherwise confirmed (section 5 of the ATIR). If it is determined that additional information is required for identity verification purposes, Privacy Implementation Notice 2022-02: Identity Verification for Personal Information Requests must be followed, with the necessary adaptations.
This approach ensures compliance with section 19 of the ATIA, which generally prohibits the disclosure of personal information in the context of an ATI request, unless one of the conditions in subsection 19(2) is met. A risk-based approach should be taken when determining whether the personal information already provided is adequate to validate identification. Where the sensitivity of the requested information is relatively low and the identity is reasonably assured as per the Directive on Identity Management, institutions should facilitate the right of access. However, as the sensitivity of the information and the potential injury to the individual increases, the standard for adequate identity verification rises and preventing breaches should be prioritized. There may also be scenarios where there are reasons to doubt the identity of the requester, for example, if conflicting information is provided compared to what is on file. The Treasury Board of Canada Secretariat’s Assurance Level Requirement tool can assist in assessing the sensitivity of the information, and the Directive on Identity Management - Appendix A: Standard on Identity and Credential Assurance provides guidance on the identity requirements.
During the process of verifying the requester’s identity, it is a best practice to advise the requester that personal information will not be disclosed under the ATIA until their identity can be confirmed. At this point, if the request pertains uniquely to records containing personal information, or the personal information cannot be reasonably severed from the requested records, or responding to the request without confirming identity would in and of itself reveal the personal information, the request may be put on hold. If the requester fails to provide adequate identification within a reasonable timeline indicated by the institution, the request may be considered abandoned, and the file may be closed.
Before closing the file, institutions are encouraged to send a final notice to the requester. Requesters must also be informed of their right to complain to the Office of the Information Commissioner of Canada with respect to the processing of their request.
If, however, the personal information can be reasonably severed from other non-personal information to which the requester has a right of access, then the institution must process the request and sever the personal information from the records to be disclosed, as appropriate.
5.3 Editorial changes
Editorial changes in the wording used in the regulations were made, specifically in sections 4, 7 and 8, in which “the Act” was replaced with “Part 1 of the Act,” creating consistency in the wording used in the ATIR and the ATIA.
6. Application
This implementation notice applies to the government institutions as defined in section 3 of the ATIA, including parent Crown corporations and any wholly owned subsidiary of these corporations. However, it does not apply to the Bank of Canada.
7. References
Legislation
Related policy instruments
Related guidance instruments
8. Enquiries
Members of the public may contact Treasury Board of Canada Secretariat Public Enquiries for information at publicenquiries-demandesderenseignement@tbs-sct.gc.ca about this implementation notice.
Employees of federal institutions may contact their Access to Information and Privacy (ATIP) coordinator for information about this implementation notice.
ATIP coordinators may contact the Treasury Board of Canada Secretariat’s Access to Information Policy and Performance Division at ippd-dpiprp@tbs-sct.gc.ca for information about this implementation notice.
Appendix: Right of Access Attestation Letter
Our file: [file number]
[date]
[requester’s name and address]
Dear [name of requester],
This is to acknowledge that your request of [date of request] was received in this office on [date received]. We note that, pursuant to the Access to Information Act (ATIA), you wish to obtain the following information:
[full text of request]
In order to process your request, we must confirm your right of access under section 4 of the ATIA. As such, we would require that you complete the attestation below. Please indicate in which capacity you are seeking the information by checking the applicable box below, and sign and date the attestation.
I am seeking access to records as:
- ▢ a Canadian citizen
- ▢ a permanent resident or an individual present in Canada or
- ▢ a corporation present in Canada
I hereby attest that I meet at least one of the eligibility criteria listed above that confirms my right of access and that I have selected the corresponding box.
Signature: _________________________
Name (print): _________________________
Date: _________________________
We require that you mail or email us this attestation letter once signed and dated. Upon receipt, we will be pleased to process your request. In the meantime, please note that your request is temporarily on hold and will be considered abandoned if we do not receive your attestation by [date the response is due].
Please be advised that you are entitled to complain to the Information Commissioner of Canada concerning the processing of your request within 60 days after the day that you become aware that grounds for a complaint exist. In the event you decide to avail yourself of this right, your notice of complaint should be addressed to:
The Information Commissioner of Canada
30 Victoria Street, 7th Floor
Gatineau Quebec K1A 1H3
Telephone: 613-995-2410 (National Capital Region)
1-800-267-0441 (toll-free)
Should you have any questions or concerns, please do not hesitate to contact [name of ATIP Officer] at [Officer’s telephone number] or by email at [Officer’s email address].
Sincerely,
[Coordinator’s name and title]
[Mailing address]
Page details
- Date modified: